DomainDetective is a domain, DNS, email, web, and certificate security toolkit for people who want repeatable checks instead of one-off website lookups. It is built around the same analysis engine and exposed through three entry points:
- A C# library for custom automation and integrations
- A PowerShell module for operational scripts and reporting
- A .NET CLI for wizard-driven scans, batch usage, artifacts, and report generation
| Interface | Best for | Runtime |
|---|---|---|
| C# library | Custom workflows, apps, pipelines, SDK-style integration | .NET 8 cross-platform, plus .NET Framework 4.7.2 on Windows |
| PowerShell module | Ad-hoc investigations, scripts, scheduled jobs, exports | PowerShell 5.1 and 7+ |
| CLI | Quick scans, interactive wizard, artifacts, portable reports | .NET 8 |
Most PowerShell checks expose both a fully-prefixed cmdlet and a friendly alias. For example, Test-DDEmailSpfRecord is also available as Test-EmailSpf.
- DNS and infrastructure: NS, SOA, MX, delegation, reverse DNS, FCrDNS, wildcard DNS, zone transfer, TTL, EDNS, open resolver, DNS over TLS, DNS health, DNS amplification, propagation, trace, and inventory.
- Email authentication and transport: SPF, DKIM, DMARC, ARC, BIMI, MTA-STS, TLS-RPT, SMTP TLS, STARTTLS, SMTP banner, SMTP auth posture, IMAP/POP3 TLS, open relay, email validation, and mail latency.
- Web and certificates: HTTP posture, certificate analysis, DANE/TLSA, S/MIMEA, static website scans, redirect chains, third-party inventory, header checks, tracker hints, and technology fingerprints.
- Registry, routing, and reputation: WHOIS, RDAP, RPKI, DNSBL, threat intel hooks, VirusTotal helpers, search engine checks, and domain suggestions/search.
- Discovery and exposure: CT timeline, subdomain discovery, certificate inventory, autodiscover, security.txt, contact TXT, directory exposure, and identity provider hints.
- Outputs and reporting: JSON, HTML, Word, Excel, Markdown, MarkdownHtml, and PDF, plus JSON artifacts for repeated runs and time-series stores.
flowchart LR
A["PowerShell module"] --> D["DomainDetective core analyses"]
B["CLI"] --> D
C["C# library"] --> D
D --> E["Views and JSON"]
D --> F["Reports: HTML, Word, Excel, Markdown, PDF"]
D --> G["Artifacts: scan.json, metrics.json, progress.jsonl"]
D --> H["Stores: DMARC Aggregate, TLS-RPT, registration, cert inventory"]
Import the local module from the repository and run a few common checks:
Import-Module ./Module/DomainDetective.psd1 -Force
Test-DomainHealth -DomainName "example.com"
Test-EmailSpf -DomainName "example.com"
Test-Website -DomainName "example.com"Export a report directly from a scan:
Import-Module ./Module/DomainDetective.psd1 -Force
Test-DomainHealth `
-DomainName "example.com" `
-ExportFormat Html `
-ExportPath ".\artifacts\example-domain-report.html" `
-OpenInBrowserCompose multi-check reports from pipeline output:
Import-Module ./Module/DomainDetective.psd1 -Force
Export-DDSecurityReport -ExportFormat Word -ExportPath ".\artifacts\example-email-auth.docx" {
Test-EmailSpf -DomainName "example.com"
Test-EmailDkim -DomainName "example.com"
Test-EmailDmarc -DomainName "example.com"
}To discover the available PowerShell surface:
Get-Command -Module DomainDetectiveThe repository currently exposes the CLI as a normal .NET application, not as an installed global or local dotnet tool. The supported ways to run it today are:
dotnet run --project DomainDetective.CLI -- ...while developing from sourcedotnet publishand then running the generated app from the publish directory
Run the interactive wizard:
dotnet run --project DomainDetective.CLI --Run a direct health check:
dotnet run --project DomainDetective.CLI -- check example.com --jsonGenerate a report with artifacts:
dotnet run --project DomainDetective.CLI -- GenerateReport example.com --format html --output ./artifacts/example.htmlA few other common entry points:
dotnet run --project DomainDetective.CLI -- AnalyzeMessageHeader --file ./headers.txt --json
dotnet run --project DomainDetective.CLI -- DnsPropagation --domain example.com --record-type A
dotnet run --project DomainDetective.CLI -- ValidateEmail [email protected] --smtp --catch-all
dotnet run --project DomainDetective.CLI -- --helpPublish a local copy of the CLI:
dotnet publish DomainDetective.CLI/DomainDetective.CLI.csproj -c Release -o ./artifacts/cliThen run the published app:
.\artifacts\cli\DomainDetective.CLI.exe --help./artifacts/cli/DomainDetective.CLI --helpOr use the build script introduced in this repository:
pwsh ./Build/Publish-CLI.ps1That script publishes runtime-specific CLI artifacts under Artifacts/ProjectBuild/CLI and creates friendly aliases such as DD.exe on Windows and DD on Unix-like targets.
The example project in DomainDetective.Example shows many protocol-specific flows. The simplest library usage looks like this:
using DomainDetective;
var healthCheck = new DomainHealthCheck();
await healthCheck.Verify("example.com");
Console.WriteLine(healthCheck.ToJson());| Cmdlet | Purpose |
|---|---|
Test-DomainHealth |
Run a broad domain posture assessment |
Test-EmailSpf |
Validate SPF policy and lookup behavior |
Test-EmailDkim |
Inspect DKIM selectors and key strength |
Test-EmailDmarc |
Validate DMARC policy and reporting |
Test-Website |
Run combined web/certificate posture checks |
Test-DnsPropagation |
Query propagation across multiple resolvers |
Test-DesiredState |
Compare a domain to an organization baseline |
Invoke-DDCertificateInventory |
Capture certificate inventory snapshots |
Export-DDSecurityReport |
Build HTML, Word, Excel, or Markdown reports from checks |
| Command | Purpose |
|---|---|
wizard |
Run the interactive scan wizard |
check |
Run direct health checks against one or more domains |
GenerateReport |
Generate reports and artifacts |
DesiredState |
Evaluate a custom baseline against a domain |
ValidateEmail |
Validate an email address with optional SMTP probing |
AnalyzeMessageHeader |
Parse and inspect raw mail headers |
AnalyzeARC |
Analyze ARC headers |
DnsPropagation |
Check resolver propagation |
CertificateInventoryCapture |
Capture certificate inventory snapshots |
CertificateInventorySummary |
Summarize stored certificate inventory snapshots |
CertificateInventoryRisk |
Assess persisted certificate risk posture |
RunsList / RunsOpen |
Browse and open recent artifact runs |
Raw: strongly-typed analysis models suitable for automation and downstream processing.Narrative: human-friendly summaries for CLI and PowerShell views.Highlights: concise status, counts, and key findings for quick review.
DomainOrder:AlphabeticalorInputSectionOrderMode:Canonical,Input, orCustomSectionOrder: explicit section keys when usingCustom
Canonical per-domain section order:
MX, SPF, DKIM, DMARC, DMARC Aggregate, ARC, BIMI, DNSBL, RPKI, Registration, NS, SOA, TTL, ZoneTransfer, Wildcard, CAA, Classification, MTA-STS, TLS-RPT, TLS-RPT Reports, MAILTLS, DNSSEC, DANE
Executive summary columns remain canonical across formats; ordering affects per-domain sections only.
| Prefixed Name | Alias Name | Purpose |
|---|---|---|
Test-DDEmailArcRecord |
Test-EmailArc |
Validate ARC headers |
Test-DDEmailAutoDiscover |
Test-EmailAutoDiscover |
Check mail client discovery |
Test-DDEmailAddress |
Test-EmailAddress |
Validate mailbox reachability |
Test-DDEmailBimiRecord |
Test-EmailBimi |
Verify BIMI record |
Test-DDEmailDkimRecord |
Test-EmailDkim |
Verify DKIM selectors |
Test-DDEmailDmarcRecord |
Test-EmailDmarc |
Verify DMARC policy |
Test-DDEmailSpfRecord |
Test-EmailSpf |
Verify SPF policy |
Test-DDEmailTlsRptRecord |
Test-EmailTlsRpt |
Inspect TLS-RPT |
Test-DDEmailMtaSts |
Test-EmailMtaSts |
Verify MTA-STS policy |
Test-DDEmailStartTls |
Test-EmailStartTls |
Check STARTTLS advertisement |
Test-DDEmailSmtpTls |
Test-EmailSmtpTls |
Check SMTP TLS posture |
Test-DDEmailProtocolTls |
Test-EmailProtocolTls |
SMTP/IMAP/POP3 TLS checks |
Test-DDEmailOpenRelay |
Test-EmailOpenRelay |
Detect open SMTP relay |
Get-DDEmailMessageHeaderInfo |
Get-EmailHeaderInfo |
Parse raw email headers |
Test-DDEmailLatency |
Test-EmailLatency |
Measure SMTP responsiveness |
Test-DDEmailImapTls |
Test-EmailImapTls |
IMAP TLS check |
Test-DDEmailPop3Tls |
Test-EmailPop3Tls |
POP3 TLS check |
Test-DDEmailSmtpBanner |
Test-EmailSmtpBanner |
Inspect SMTP banner |
Test-DDDmarcAggregate |
Test-EmailDmarcAggregate |
Parse DMARC aggregate reports |
New-DDDmarcRecord |
New-DmarcRecord |
Build a DMARC record |
| Prefixed Name | Alias Name | Purpose |
|---|---|---|
Test-DDWebsite |
Test-Website |
Combined website check (certificate plus HTTP posture) |
Test-DDWebsiteSecurity |
Test-WebsiteSecurity |
HTTPS security headers and mixed content |
Test-DDDomainCertificate |
Test-DomainCertificate |
Website certificate and TLS grade |
Test-DDWebsiteStaticScan |
Test-WebsiteStaticScan |
Static website crawl and resource analysis |
| Prefixed Name | Alias Name | Purpose |
|---|---|---|
Test-DDDnsCaaRecord |
Test-DnsCaa |
Verify CAA |
Test-DDDnsNsRecord |
Test-DnsNs |
Verify NS |
Test-DDDnsSoaRecord |
Test-DnsSoa |
Verify SOA |
Test-DDDnsSecStatus |
Test-DnsSec |
Verify DNSSEC |
Test-DDDnsBlacklist |
Test-DnsBlacklist |
Check DNSBL (domain and MX IPs) |
Test-DDMailDomainClassification |
- | Classify sending, receiving, parked, and related signals |
Test-DDDnsOpenResolver |
Test-DnsOpenResolver |
Detect open resolver |
Test-DDDnsDanglingCname |
Test-DnsDanglingCname |
Find dangling CNAME |
Test-DDDnsPropagation |
Test-DnsPropagation |
Check global propagation |
Start-DDDnsPropagationMonitor |
Start-DnsPropagationMonitor |
Start propagation monitor |
Stop-DDDnsPropagationMonitor |
Stop-DnsPropagationMonitor |
Stop propagation monitor |
Test-DDDnsTtl |
Test-DnsTtl |
TTL analysis |
Test-DDDnsTunneling |
Test-DnsTunneling |
Detect DNS tunneling from logs |
Test-DDDnsWildcard |
Test-DnsWildcard |
Detect wildcard catch-all behavior |
Test-DDDnsEdnsSupport |
Test-DnsEdnsSupport |
EDNS support |
Test-DDDnsHealth |
Test-DnsHealth |
Authoritative SOA, apex, and TTL consistency |
Test-DDDnsSmimeaRecord |
Test-DnsSmimea |
S/MIMEA |
Test-DDDnsForwardReverse |
Test-DnsFcrDns |
FCrDNS |
Test-DDDnsMxRecord |
Test-DnsMx |
MX records |
Test-DDDnsDelegation |
Test-DnsDelegation |
Parent NS and glue consistency |
Test-DDDnsReverseDns |
Test-DnsReverseDns |
Reverse DNS |
Test-DDDnsZoneTransfer |
Test-DnsZoneTransfer |
AXFR exposure |
Test-DDDnsAmplification |
Test-DnsAmplification |
DNS amplification posture |
Test-DDDnsOverTls |
Test-DnsOverTls |
DNS over TLS |
| Prefixed Name | Alias Name | Purpose |
|---|---|---|
Test-DDDomainContactRecord |
Test-DomainContact |
WHOIS contact sanity |
Test-DDDomainSecurityTxt |
Test-DomainSecurityTxt |
security.txt checks |
Test-DDDomainCertificate |
Test-DomainCertificate |
Website certificate checks |
Test-DDDomainOverallHealth |
Test-DomainHealth |
Composite health view with export support |
Test-DDDesiredState |
Test-DesiredState |
Validate a domain against a desired-state baseline |
Get-DDDomainWhois |
Get-DomainWhois |
WHOIS |
Get-DDDomainFlattenedSpfIp |
Get-DomainFlattenedSpfIp |
Flatten SPF to IPs |
Test-DDDomainThreatIntel |
Test-DomainThreatIntel |
Threat intel lookups |
Get-DDRdap |
Get-Rdap |
RDAP |
Get-DDRdapObject |
Get-RdapObject |
RDAP raw object |
Get-DDSearchEngineInfo |
Get-SearchEngineInfo |
Search engine queries |
Get-DDIdpInfo |
Get-IdpInfo |
Identity provider hints |
| Prefixed Name | Alias Name | Purpose |
|---|---|---|
Test-DDTlsDaneRecord |
Test-TlsDane |
DANE/TLSA |
Get-DDTlsCertificateInfo |
Get-CertificateInfo |
Parse PEM and DER certificates |
Test-DDNetworkIpNeighbor |
Test-NetworkIpNeighbor |
IP neighbors |
Test-DDNetworkPortAvailability |
Test-NetworkPortAvailability |
Port availability |
Test-DDNetworkPortScan |
Test-NetworkPortScan |
Port scan profiles |
Test-DDRpki |
Test-Rpki |
RPKI validation |
| Prefixed Name | Alias Name | Purpose |
|---|---|---|
Add-DDDnsblProvider |
Add-DnsblProvider |
Manage DNSBL providers |
Remove-DDDnsblProvider |
Remove-DnsblProvider |
Manage DNSBL providers |
Clear-DDDnsblProviderList |
Clear-DnsblProvider |
Manage DNSBL providers |
Import-DDDnsblConfig |
Import-DnsblConfig |
Import DNSBL provider configuration |
Import-DDDmarcReport |
Import-DmarcReport |
Import DMARC aggregate zip |
Import-DDDmarcForensic |
Import-DmarcForensic |
Import DMARC forensic zip |
Import-DDEmailTlsRpt |
Import-EmailTlsRpt |
Import TLS-RPT JSON |
Set-DDExportOptions |
Set-ExportOptions |
Set default export/report options |
Set-DDPersona |
Set-DDNarrator |
Set narration persona |
| Prefixed Name | Alias Name | Purpose |
|---|---|---|
Import-DDDmarcAggregateSnapshot |
Import-DmarcAggregateSnapshot |
DMARC aggregate snapshots into a store |
Get-DDDmarcAggregateTimeSeries |
Get-DmarcAggregateTimeSeries |
DMARC aggregate time-series view |
Import-DDTlsRptReportSnapshot |
Import-TlsRptReportSnapshot |
TLS-RPT reports into a store |
Get-DDTlsRptReportsTimeSeries |
Get-TlsRptReportsTimeSeries |
TLS-RPT reports time-series view |
Import-DDRegistrationSnapshot |
Import-RegistrationSnapshot |
WHOIS and RDAP registration snapshot into a store |
Get-DDRegistrationDrift |
Get-RegistrationDrift |
Registration drift view |
Invoke-DDCertificateInventory |
- | Capture certificate inventory snapshots |
Get-DDCertificateInventorySnapshot |
- | Read persisted certificate inventory snapshots |
Get-DDCertificateInventorySummary |
Get-CertificateInventorySummary |
Summarize inventory snapshots |
Get-DDCertificateInventoryRisk |
Get-CertificateInventoryRisk |
Evaluate risk across snapshots |
Get-DDCertificateInventoryDrift |
Get-CertificateInventoryDrift |
Detect certificate drift |
Get-DDCertificateInventoryPolicy |
Get-CertificateInventoryPolicy |
Evaluate inventory against policy |
Get-DDCertificateInventoryReuse |
Get-CertificateInventoryReuse |
Map certificate reuse |
PowerShell:
Test-DDEmailAddress -EmailAddress "[email protected]" -SmtpProbe -CheckCatchAllCLI:
dotnet run --project DomainDetective.CLI -- ValidateEmail [email protected] --smtp --catch-all --smtp-max-hosts 2Custom SMTP rules:
Test-DDEmailAddress -EmailAddress "[email protected]" -SmtpProbe -SmtpRulesPath "./smtp-rules.json"dotnet run --project DomainDetective.CLI -- ValidateEmail [email protected] --smtp --smtp-rules ./smtp-rules.json --no-builtin-smtp-rulesUseful controls:
-EnableProviderWebChecksor--provider-webenables provider-specific web checks when available.-ProtonAuthCookieand-ProtonUidor--proton-authand--proton-uidenable Proton-specific checks.-SmtpRulesPathor--smtp-rulessupplies custom SMTP rules JSON.-DisableBuiltinSmtpRulesor--no-builtin-smtp-rulesignores built-in SMTP rules.-AllowB2CCatchAllor--allow-b2c-catch-allallows catch-all probing for consumer providers.-AllowInvalidSmtpCertificatesor--smtp-allow-invalid-certskips SMTP TLS certificate validation.-SmtpTimeoutSeconds,-SmtpRetryDelaySeconds, and-SmtpProbeDelaySecondstune SMTP timing and pacing.-B2CProvidersPathand-DisableFreeProvidersAsB2Ccontrol B2C provider classification behavior.
Notes:
- Built-in SMTP rules are enabled by default.
- See
Docs/EmailSmtpRules.mdfor schema, examples, and Proton auth notes. - Provider web checks rely on undocumented endpoints and may change or rate-limit without notice.
- Avoid passing Proton auth values through command history when possible.
- SMTP probing can trigger provider abuse protections during bulk runs.
PowerShell:
Import-Module ./Module/DomainDetective.psd1 -Force
Test-DomainHealth -DomainName "example.com" -ExportFormat Html -ExportPath ".\Reports\example.html"CLI:
dotnet run --project DomainDetective.CLI -- GenerateReport example.com --format word --output ./Reports/example.docxUse this path when you want a broad posture report covering DNS, email, web, certificates, and selected discovery sections.
Use Desired State when "best practice" is not enough and you need to compare domains to your own organization-specific baseline.
PowerShell:
Import-Module ./Module/DomainDetective.psd1 -Force
$baseline = New-DesiredState {
New-DDDesiredStateSpf -Enabled $true -MaxDnsLookups 10
New-DDDesiredStateDmarc -Enabled $true -AllowedPolicies reject
}
Test-DesiredState -DomainName "example.com" -Configuration $baselineCLI:
dotnet run --project DomainDetective.CLI -- DesiredState example.com --desired-state ./desired-state.json --format html --output ./Reports/desired-state.htmlDeep dive: Docs/DESIRED_STATE.MD
Use certificate inventory when you need portfolio-wide visibility, persistence, drift tracking, or policy/risk reporting across many domains and endpoints.
PowerShell:
Import-Module ./Module/DomainDetective.psd1 -Force
Invoke-DDCertificateInventory `
-DomainName "example.com","example.org" `
-CacheDirectory .\cert-monitor `
-ReuseRecentResults `
-RecentResultTtlHours 24 `
-IncludeCtSubdomains `
-VerifyCtSubdomainsCLI:
dotnet run --project DomainDetective.CLI -- CertificateInventoryCapture example.com example.org --include-ct-subdomains --verify-ct-subdomains
dotnet run --project DomainDetective.CLI -- CertificateInventorySummary --since-utc 2026-01-01
dotnet run --project DomainDetective.CLI -- CertificateInventoryRisk --expiring-within-days 30 --jsonDeep dive: Docs/CERTIFICATE_INVENTORY.MD
DomainDetective can persist DMARC aggregate, TLS-RPT, and registration snapshots so reports can include historical sections instead of only point-in-time checks.
dotnet run --project DomainDetective.CLI -- ImportDmarcAggregateSnapshot ./Reports/DMARC --store-path ./Store
dotnet run --project DomainDetective.CLI -- ImportTlsRptReportSnapshot example.com ./Reports/TLSRPT --store-path ./Store
dotnet run --project DomainDetective.CLI -- ImportRegistrationSnapshot example.com --store-path ./Store
dotnet run --project DomainDetective.CLI -- GenerateReport example.com --format html --store-path ./Store| Format | Notes |
|---|---|
| HTML | Best overall interactive/default report experience |
| Word | Strong for executive and shareable document output |
| Excel | Useful for matrix/dashboard and analyst workflows |
| Markdown | Lightweight document output |
| MarkdownHtml | HTML generated from the Markdown-style layout |
| JSON | Best for automation and downstream tooling |
| Supported, but currently less feature-rich than HTML/Word/Excel |
Coordinated runs emit structured artifacts under artifacts/<subject>/<timestamp>/.
Typical files:
scan.json: metadata, summary, recommendations, and the fullDomainHealthCheckmetrics.json: counters and timingprogress.jsonl: progress stream for long-running runsindex.jsonl: subject-level run index used byRunsListandRunsOpen
List or open recent CLI runs:
dotnet run --project DomainDetective.CLI -- RunsList --subject example.com --count 5
dotnet run --project DomainDetective.CLI -- RunsOpen --subject example.comCompose any mix of exportable views through the pipeline:
Import-Module ./Module/DomainDetective.psd1 -Force
$spf = Test-DDEmailSpfRecord -DomainName "evotec.pl"
$dnsbl = Test-DDDnsBlacklist -NameOrIpAddress "evotec.pl"
($spf + $dnsbl) | Export-DDSecurityReport -Scope Detailed -ExportFormat Word -ExportPath .\Reports -OpenReportOr use an inline script block:
Import-Module ./Module/DomainDetective.psd1 -Force
Export-DDSecurityReport -Scope Detailed -ExportFormat Markdown -ExportPath .\Reports {
Test-DDEmailSpfRecord -DomainName "evotec.pl","evotec.xyz"
Test-DDEmailDkimRecord -DomainName "evotec.pl","evotec.xyz"
Test-DDEmailDmarcRecord -DomainName "evotec.pl","evotec.xyz"
Test-DDDnsNsRecord -DomainName "evotec.pl"
Test-DDDnsSecStatus -DomainName "evotec.pl"
}Metadata can be set globally:
Set-DDExportOptions -Title "Evotec - Q3 Portfolio Review" -Subject "Executive summary and remediation plan" -Category "Email Security" -Keywords "SPF,DKIM,DMARC" -Creator "Evotec"Or per report:
Export-DDSecurityReport -ExportFormat Word -Title "Evotec - MX Review" -Subject "MX and transport policies"- Most DNS-aware operations accept
-DnsEndpointto control resolution. - Multi-resolver scenarios also support
-DnsEndpointsand-MultiResolverStrategy. - DNS propagation supports additional scope controls such as
-Country,-Location, and-Take. - WHOIS can compare current state to stored snapshots with
-SnapshotPathand-Diff. - Time-series features use
-StorePath. - Output formats include HTML, Word, Excel, PDF, Markdown, MarkdownHtml, and JSON, though support varies by cmdlet.
DNSBL providers can be customized at runtime. The built-in list can be extended, replaced, or filtered depending on how you want blacklist checks to behave.
Useful actions:
- Add providers
- Remove providers
- Clear the current list
- Load providers from JSON
C#:
var analysis = new DNSBLAnalysis();
analysis.AddDNSBL("dnsbl.example.com", comment: "custom");
analysis.RemoveDNSBL("dnsbl.example.com");
analysis.ClearDNSBL();
analysis.LoadDnsblConfig("DnsblProviders.json", overwriteExisting: true);PowerShell:
Add-DnsblProvider -Domain "dnsbl.example.com" -Comment "custom"
Remove-DnsblProvider -Domain "dnsbl.example.com"
Clear-DnsblProvider
Import-DnsblConfig -Path "./DnsblProviders.json" -OverwriteExistingUseful flags:
-TreatAsDomainforces domain mode-TreatAsIpforces IP mode-MaxConcurrencyhints concurrency to the resolver-BlacklistedOnlyreturns only listed results
Certificate analysis includes:
KeyAlgorithmandKeySizeWeakKeyfor keys under 2048 bitsSha1SignatureIsSelfSignedPresentInCtLogs- optional TLS negotiation details when capture is enabled
- optional revocation skipping via
SkipRevocation
Combined website checks return a single summary object:
Test-Website -DomainName "evotec.xyz" | Select-Object Area,Check,Status,Summary,CertificateGrade,HttpGradeDKIM analysis exposes indicators such as:
WeakKeyOldKeyDeprecatedTags
SMTP TLS analysis stores the negotiated certificate and reports expiration details and chain validity for each server.
HTTP posture checks inspect common security headers including:
Content-Security-PolicyReferrer-PolicyX-Frame-OptionsPermissions-Policy- cross-origin policy headers
HttpAnalysis also tracks HSTS preload membership and computes a coarse grade from A through F.
DomainDetective/ Core analyzers, models, and protocol logic
DomainDetective.PowerShell/ Compiled PowerShell cmdlets
DomainDetective.CLI/ Spectre.Console CLI and wizard
DomainDetective.Reports/ Shared reporting abstractions and dispatch
DomainDetective.Reports.Html/ HTML composition reports
DomainDetective.Reports.Office/ Word and Excel reports
DomainDetective.Reports.Markdown/ Markdown and MarkdownHtml reports
DomainDetective.Reports.Pdf/ PDF report generator
DomainDetective.Example/ C# usage samples
Module/ Importable module manifest, scripts, and PowerShell examples
Docs/ Focused feature documentation
DomainDetective.Tests/ Core and PowerShell-facing tests
DomainDetective.CLI.Tests/ CLI tests
If you want runnable PowerShell examples, start in Module/Examples. If you want C# samples, start in DomainDetective.Example.
Restore, build, and run the main test suites:
dotnet restore DomainDetective.sln
dotnet build DomainDetective.sln
dotnet test DomainDetective.Tests/DomainDetective.Tests.csproj
dotnet test DomainDetective.CLI.Tests/DomainDetective.CLI.Tests.csprojRun the PowerShell test harness:
pwsh ./Module/DomainDetective.Tests.ps1NuGet packages:
pwsh ./Build/Build-NuGet.ps1 -Version 0.2.0CLI publish artifacts:
pwsh ./Build/Publish-CLI.ps1 -Version 0.2.0Run both through the shared build driver:
pwsh ./Build/Build-Project.ps1 -Version 0.2.0Preview the plan without executing:
pwsh ./Build/Build-Project.ps1 -PlanOutputs are staged under Artifacts/ProjectBuild:
Artifacts/ProjectBuild/NuGetfor.nupkgfilesArtifacts/ProjectBuild/CLI/<runtime>for published CLI foldersArtifacts/ProjectBuild/CLI/*.zipfor runtime archives when zipping is enabled
GitHub Actions currently validate:
.NET 8on Windows, Linux, and macOS.NET Framework 4.7.2tests on Windows- PowerShell
5.1and7+
Each analysis returns structured properties that map closely to the relevant RFCs or protocol expectations. That means the objects are meant to be usable in automation, not just rendered for humans.
Examples:
- SPF follows RFC 7208 lookup counting behavior and exposes resolved include and redirect chains.
- DKIM tracks minimum key expectations and sets
WeakKeywhen RSA keys are too small. - DMARC aligns policy, reporting, and enforcement posture.
- DANE and S/MIMEA follow their respective record semantics instead of just returning raw TXT strings.
WHOIS and summary data can also surface:
- expiration dates
- registrar lock state
- public suffix detection
C# example:
var health = new DomainHealthCheck();
await health.Verify("example.com");
var summary = health.BuildSummary();
Console.WriteLine($"Expires on: {summary.ExpiryDate}");
Console.WriteLine($"Registrar lock: {summary.RegistrarLocked}");
Console.WriteLine($"Is public suffix: {summary.IsPublicSuffix}");For unified WHOIS and RDAP snapshots with structured drift:
Import-DDRegistrationSnapshot -DomainName "example.com" -StorePath .\Store
Get-DDRegistrationDrift -DomainName "example.com" -StorePath .\StoreC#:
using DnsClientX;
var hc = new DomainDetective.DomainHealthCheck();
hc.DnsEndpoints.Add(DnsEndpoint.CloudflareWireFormat);
hc.DnsEndpoints.Add(DnsEndpoint.Google);
hc.MultiResolverStrategy = DomainDetective.MultiResolverStrategy.FirstSuccess;
await hc.Verify("example.com", new[] { DomainDetective.HealthCheckType.SPF, DomainDetective.HealthCheckType.DNSSEC });
Console.WriteLine($"SPF present: {hc.SpfAnalysis.SpfRecordExists}; DS count: {hc.DnsSecAnalysis.DsRecords.Count}");PowerShell:
Import-Module ./Module/DomainDetective.psd1 -Force
$domain = "evotec.pl"
$resolvers = @(
[DnsClientX.DnsEndpoint]::CloudflareWireFormat,
[DnsClientX.DnsEndpoint]::Google
)
Test-DDDomainOverallHealth -DomainName $domain -DnsEndpoints $resolvers -MultiResolverStrategy FirstSuccess -ExportFormat Word -ExportPath ".\Reports"Start with these focused docs:
Docs/DESIRED_STATE.MDDocs/CERTIFICATE_INVENTORY.MDDocs/DNS_PROPAGATION.MDDocs/CT_TIMELINE.MDDocs/DNS_INVENTORY.MDDocs/HTTP_POSTURE.MDDocs/IP_ENRICHMENT.MDDocs/SUBDOMAINS.MDDocs/EmailSmtpRules.md
If you just want one-off web lookups instead of local automation, common alternatives include:
See TODO.md for the current backlog and roadmap.
Issues, ideas, and pull requests are welcome. If you are not sure where to start, open an issue with the scenario you are trying to automate or the analysis gap you want covered.